MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc7c0979e0a7b2f95d8e50177b844166ced49a0c78de4adcedef75090dee4dd9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc7c0979e0a7b2f95d8e50177b844166ced49a0c78de4adcedef75090dee4dd9
SHA3-384 hash: 3ff88664a78d57475296377a7d8dd7d10df9345a568309dfcca75f960a557f2fe4de19254f81878cabfe6a1f5722944d
SHA1 hash: e6899048984813fdecd7d92863d387259dbd088c
MD5 hash: 772b5b1321a4343c95125fd41f36c80c
humanhash: yankee-four-romeo-arkansas
File name:772b5b1321a4343c95125fd41f36c80c.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:194'048 bytes
First seen:2022-03-05 17:55:44 UTC
Last seen:2022-03-05 19:35:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 3072:dBgDQ+7AvxB/qpfG/XXiGK9/NPqXvQZlq0v2kmYwtertwIMptWz873LPsV6Jdx4U:r0AZJie/XUs/4lq0v2kmYwtertwIMptC
Threatray 1'308 similar samples on MalwareBazaar
TLSH T12714559D766072EFC857D472DEA82D68EA5074BB831F4203902715EDEA4D89BDF180F2
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
265
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/247544/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.20159.21871.8293.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Launching a process
Creating a file
Searching for the Windows task manager window
Sending an HTTP GET request
Creating a file in the %temp% directory
Using the Windows Management Instrumentation requests
Creating a window
Searching for synchronization primitives
Sending an HTTP POST request
DNS request
Connecting to a cryptocurrency mining pool
Sending a custom TCP request
Creating a service
Launching a service
Loading a system driver
Unauthorized injection to a recently created process
Enabling autorun for a service
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/839110c4-7eda-4168-85ca-b42138c562d8
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/951217
Signature
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Command shell drops VBS files
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Self deletion via cmd delete
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Xmrig
Uses known network protocols on non-standard ports
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 583698 Sample: XdjFCYu5Lw.exe Startdate: 05/03/2022 Architecture: WINDOWS Score: 100 84 store-images.s-microsoft.com 2->84 94 Sigma detected: Xmrig 2->94 96 Malicious sample detected (through community Yara rule) 2->96 98 Multi AV Scanner detection for dropped file 2->98 100 14 other signatures 2->100 9 XdjFCYu5Lw.exe 5 6 2->9         started        13 Windows Security.exe 2->13         started        15 svchost.exe 2->15         started        17 8 other processes 2->17 signatures3 process4 dnsIp5 76 C:\Users\user\...\Windows Security.exe, PE32 9->76 dropped 78 C:\...\Windows Security.exe:Zone.Identifier, ASCII 9->78 dropped 122 Detected unpacking (changes PE section rights) 9->122 124 Obfuscated command line found 9->124 126 Self deletion via cmd delete 9->126 128 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->128 20 Windows Security.exe 14 5 9->20         started        25 cmd.exe 1 9->25         started        27 cmd.exe 13->27         started        29 c.exe 13->29         started        31 cmd.exe 13->31         started        33 cmd.exe 13->33         started        130 Changes security center settings (notifications, updates, antivirus, firewall) 15->130 35 MpCmdRun.exe 15->35         started        82 127.0.0.1 unknown unknown 17->82 file6 signatures7 process8 dnsIp9 86 111.90.143.200, 27941, 49766 SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY Malaysia 20->86 72 C:\Users\user\AppData\Roaming\...\c.exe, PE32+ 20->72 dropped 102 Obfuscated command line found 20->102 104 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->104 37 c.exe 20->37         started        41 cmd.exe 2 20->41         started        48 2 other processes 20->48 50 4 other processes 25->50 74 C:\Users\user\AppData\Local\...\tmpD113.vbs, ASCII 27->74 dropped 106 Command shell drops VBS files 27->106 52 2 other processes 27->52 88 pool.hashvault.pro 29->88 108 Query firmware table information (likely to detect VMs) 29->108 44 conhost.exe 29->44         started        54 2 other processes 31->54 56 2 other processes 33->56 46 conhost.exe 35->46         started        file10 signatures11 process12 dnsIp13 90 46.4.27.39 HETZNER-ASDE Germany 37->90 92 pool.hashvault.pro 37->92 110 Antivirus detection for dropped file 37->110 112 Multi AV Scanner detection for dropped file 37->112 114 Query firmware table information (likely to detect VMs) 37->114 116 Machine Learning detection for dropped file 37->116 58 conhost.exe 37->58         started        80 C:\Users\user\AppData\Local\...\tmp5A3D.vbs, ASCII 41->80 dropped 118 Command shell drops VBS files 41->118 60 cscript.exe 1 41->60         started        62 conhost.exe 41->62         started        120 Obfuscated command line found 48->120 64 conhost.exe 48->64         started        66 powershell.exe 48->66         started        68 conhost.exe 48->68         started        70 powershell.exe 48->70         started        file14 signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fc7c0979e0a7b2f95d8e50177b844166ced49a0c78de4adcedef75090dee4dd9/
Threat name:
ByteCode-MSIL.Trojan.CoinminerX
Create hunting rule
Status:
Malicious
First seen:
2022-03-04 18:51:07 UTC
File Type:
PE (.Net Exe)
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
2742cfe802405a6fec11b086434a4870f493b6931fd427b8b01ca797ca80732e
CoinMiner
42421c08872fa9a261dfe3184f7747d224ed3deb2c0420bbb2ce8f00387fd258
CoinMiner
5906182e34caa4c37339e8d87cb46c9b9788088450d8a4b7c2052db5dbb8d174
CoinMiner
600c157ddb6d90c409f612a89e5c4259af4a7f724fd23ba85d1879b49c83054b
CoinMiner
a1457e7a591877c3732325e462c479a450b19bda91ecaca0a37cdb137ed152ae
CoinMiner
bd250e1cb4f8d322a5464549dc067ac7bcbecfc2d4fca46c40af8d23173011d3
CoinMiner
cdbed3a79d37d581fc5be268df61e13aaafa5c88a001f4e8b298d77c4b37ae13
CoinMiner
e71a997a58a54db0a879969fa1c3de5193b090bc59f3468f408785dbc0d9c7ac
CoinMiner
f3de4ce2a7e7d27e8dcfc9b38b0e55631181393e673a37a57bd97e218a797cfe
CoinMiner
fc1b7bced544df8bcc71b729d5574092bf2e96660498a919fcc7f420c1c0ccc7
CoinMiner
+ 1'298 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/220305-wh1m4aggg6/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Deletes itself
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
e96710aa19e126bbe6b433b709e73d5d2d130f1e3520fe86d33d578039b7171b
MD5 hash:
be76cc45ff2f79354933d1c0336667c3
SHA1 hash:
f562faab325c54ee23b4595f8661e23165f317d9
Link:
https://www.unpac.me/results/af0b0e05-2506-437d-8de5-2e896547b54f/
SH256 hash:
fc7c0979e0a7b2f95d8e50177b844166ced49a0c78de4adcedef75090dee4dd9
MD5 hash:
772b5b1321a4343c95125fd41f36c80c
SHA1 hash:
e6899048984813fdecd7d92863d387259dbd088c
Link:
https://www.unpac.me/results/af0b0e05-2506-437d-8de5-2e896547b54f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fc7c0979e0a7b2f95d8e50177b844166ced49a0c78de4adcedef75090dee4dd9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/247544/

Comments